weired DesFire EV1 Results

Question

I have purchased a number of DesFire EV1 from a HK based Company for a project i'm working on . some of the cards that are supposed to be factory empty had a number of applications on. reading the card properties seemed to identify them as :

"Reiner LoginCard" (or "OWOK", how they name it, https://cardlogin.reiner-sct.com/) - they have been distributed by a german computer magazine ("Computer BILD")" ...

the problem is the following : the command and applications return weired results such as : Max Nb Keys = 0 no settings some applications have a max number of keys = 133 ...

here is a screen capture of the card content. any idea on what causes this ? does this mean that the DesFire EV1 security and anti tampering mecanism kicked in and returns false data ?

Answer 1

The result you show above for the GetKeySettings command (FF 00 91 00) looks like a valid response (assuming that you selected an application other than the PICC level). This gives you

• Key settings = 0xFF:
  • all keys are frozen
  • configuration can be changed
  • free create/delete without master key
  • free directory list without master key
  • application master key is changeable
• Max # of keys = 0x00:
  • application has no keys

Regarding your results:

• An application may have zero keys, so receibving 0x00 for the number of keys is possible.
• 133 is not a vaild value for the maximum number of keys. An application may have at most 14 keys. However, this seems to be a decoding issue in your software. 133 (0x85 in hexadecimal) seems to be the value received from the GetKeySettings command. However, the two most significant bits in that value encode the crypto operation for new keys. So in your case, 0x85 (133) would actually be 5 keys + AES operation.